PatchSiren cyber security CVE debrief
CVE-2024-39493 Siemens CVE debrief
This CVE addresses a memory leak and potential use-after-free (UAF) vulnerability in the Linux kernel's Intel QuickAssist Technology (QAT) crypto driver. The flaw exists in the ADF_DEV_RESET_SYNC mechanism, where using completion_done() to check whether a caller has finished only works correctly after complete() has been called. Additionally, a race condition exists where the caller may not yet have invoked wait_for_completion(), leading to potential UAF conditions. The fix modifies the caller to use cancel_work_sync() and ensures safe memory deallocation. Siemens has identified this vulnerability as affecting certain industrial networking products running SINEC OS, specifically the RUGGEDCOM RST2428P and SCALANCE X-family switches. The vulnerability is rated MEDIUM severity with a CVSS 3.1 score of 5.5, indicating a local attack vector with low attack complexity and low privileges required, resulting in high availability impact.
- Vendor: Siemens
- Product: RUGGEDCOM RST2428P (6GK6242-6PA00)
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-04-09
- Original CVE updated: 2026-05-14
- Advisory published: 2024-04-09
- Advisory updated: 2026-05-14
Who should care
Organizations running Siemens industrial networking equipment with SINEC OS versions prior to 3.1, including SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family switches, SCALANCE XCM-/XRM-/XCH-/XRH-300 family devices, and RUGGEDCOM RST2428P systems. Additionally, any Linux deployments utilizing Intel QuickAssist Technology cryptographic acceleration should verify kernel patch status.
Technical summary
The vulnerability resides in the Linux kernel's crypto/qat driver, specifically in the ADF_DEV_RESET_SYNC completion handling. The original implementation used completion_done() to determine if a caller had finished, which is unreliable before complete() is called and creates a race window where wait_for_completion() may not yet have been invoked by the caller. This results in memory leaks and potential use-after-free conditions. The corrected implementation uses cancel_work_sync() to properly synchronize work cancellation and ensure safe memory deallocation. The CVSS vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates local attack vector, low complexity, low privileges required, no user interaction, and high availability impact with no confidentiality or integrity impact.
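The ordering the summary describes, as an added userspace model that is not the crypto/qat driver's code and not Siemens' code: a single-slot fake workqueue, a fake completion, the original worker's completion_done() check beside the fixed caller's cancel_work_sync(), and counters that record every touch of the reset record after it was freed. The names reset_data, reset_worker and schedule_reset, the one-slot queue and the "late worker" scheduling are assumptions of the model; it reproduces the use-after-free ordering only, not the memory-leak path the page also mentions.

```c
/*
 * Userspace model of the reset_data lifetime bug from the technical summary.
 * CONSTRUCTED ILLUSTRATION: the fake workqueue, fake completion and the names
 * reset_data / reset_worker / schedule_reset are assumptions, not the
 * crypto/qat driver's code. Single-threaded: a "late" worker is one that has
 * not run by the time the caller's wait_for_completion_timeout() expires.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* ---- stand-ins for the kernel primitives named on the page ---- */
struct completion { int done; };
static void init_completion(struct completion *c) { c->done = 0; }
static void complete(struct completion *c) { c->done++; }
/* true only once complete() has been called and not yet consumed by a waiter */
static bool completion_done(struct completion *c) { return c->done != 0; }

struct work_struct { void (*fn)(struct work_struct *); bool pending; };
static struct work_struct *queued;   /* one-slot fake workqueue */
static void INIT_WORK(struct work_struct *w, void (*fn)(struct work_struct *)) { w->fn = fn; w->pending = false; }
static void schedule_work(struct work_struct *w) { w->pending = true; queued = w; }
static void run_queued_work(void) {
    struct work_struct *w = queued;
    queued = NULL;
    if (w && w->pending) { w->pending = false; w->fn(w); }
}
/* Real cancel_work_sync() also waits for a worker that is already running; in
 * this model a worker is never mid-flight, so only the "still pending" case is exercised. */
static bool cancel_work_sync(struct work_struct *w) {
    bool was_pending = w->pending;
    w->pending = false;
    if (queued == w) queued = NULL;
    return was_pending;
}

/* ---- instrumented allocation: kfree() only marks, so later touches are detectable ---- */
enum reset_mode { RESET_ASYNC, RESET_SYNC };
struct reset_data {
    struct work_struct reset_work;   /* first member, so the work pointer is the object pointer */
    struct completion compl;
    enum reset_mode mode;
    bool freed;
};
static struct reset_data *live;      /* the one allocation of a scenario */
static int uaf_touches, double_frees;
static bool use_fixed_variant;

static void kfree_rd(struct reset_data *rd) { if (rd->freed) double_frees++; rd->freed = true; }
static struct reset_data *rd_of(struct work_struct *w) {
    struct reset_data *rd = (struct reset_data *)w;
    if (rd->freed) uaf_touches++;     /* every dereference after free counts as a UAF */
    return rd;
}

static void reset_worker(struct work_struct *w)
{
    /* (the device restart itself is not modelled) */
    if (!use_fixed_variant) {
        /* original: infer "caller already gave up" from completion_done(), which is
         * false here because nobody has called complete() yet -> complete() on freed memory */
        if (rd_of(w)->mode == RESET_ASYNC || completion_done(&rd_of(w)->compl))
            kfree_rd(rd_of(w));
        else
            complete(&rd_of(w)->compl);
    } else {
        /* fixed: the worker never reasons about the caller's timeout */
        if (rd_of(w)->mode == RESET_ASYNC)
            kfree_rd(rd_of(w));
        else
            complete(&rd_of(w)->compl);
    }
}

/* Caller side: schedule the worker, wait (bounded) in sync mode, then clean up. */
static int schedule_reset(enum reset_mode mode, bool worker_runs_in_time)
{
    struct reset_data *rd = calloc(1, sizeof *rd);
    live = rd;
    rd->mode = mode;
    init_completion(&rd->compl);
    INIT_WORK(&rd->reset_work, reset_worker);
    schedule_work(&rd->reset_work);
    if (mode == RESET_ASYNC)
        return 0;                              /* worker owns and frees rd */
    if (worker_runs_in_time)                   /* wait_for_completion_timeout(): either ... */
        run_queued_work();
    bool timed_out = !completion_done(&rd->compl);
    if (timed_out) {                           /* ... the wait expires ... */
        if (use_fixed_variant)
            cancel_work_sync(&rd->reset_work); /* ... and the fix ensures the worker never sees rd again */
        kfree_rd(rd);
        return -1;                             /* stands in for -EFAULT */
    }
    rd->compl.done--;                          /* a successful wait consumes the completion */
    kfree_rd(rd);
    return 0;
}

struct outcome { int uaf; int leaked; int double_free; };

static struct outcome run_scenario(bool fixed, bool worker_runs_in_time)
{
    uaf_touches = double_frees = 0;
    queued = NULL;
    use_fixed_variant = fixed;
    schedule_reset(RESET_SYNC, worker_runs_in_time);
    run_queued_work();                         /* anything still queued runs after the caller returned */
    struct outcome o = { uaf_touches, live->freed ? 0 : 1, double_frees };
    free(live);
    live = NULL;
    return o;
}

/* Accessors for checking one counter of one scenario. */
int model_uaf(bool fixed, bool in_time) { return run_scenario(fixed, in_time).uaf; }
int model_leaked(bool fixed, bool in_time) { return run_scenario(fixed, in_time).leaked; }
int model_double_free(bool fixed, bool in_time) { return run_scenario(fixed, in_time).double_free; }

int main(void)
{
    const char *variant[] = { "original", "fixed" };
    for (int f = 0; f < 2; f++)
        for (int t = 0; t < 2; t++) {
            struct outcome o = run_scenario(f, t);
            printf("%-8s worker %-7s uaf=%d leaked=%d double_free=%d\n",
                   variant[f], t ? "in-time" : "late", o.uaf, o.leaked, o.double_free);
        }
    return 0;
}
```

Only the "original, late worker" row reports after-free touches: the caller times out and frees the record, and the worker that runs afterwards still dereferences it because completion_done() tells it nothing about a caller that gave up without ever calling complete(). In the fixed variant the caller cancels the pending work before freeing, so the worker either finished first (and the caller consumed its completion) or never runs.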
Defensive priority
medium
Recommended defensive actions
- Apply vendor-provided updates to SINEC OS V3.1 or later for affected Siemens SCALANCE and RUGGEDCOM products
- For Linux kernel deployments, ensure kernel version includes the crypto/qat driver fix using cancel_work_sync pattern
- Review and update kernel configurations for systems utilizing Intel QuickAssist Technology (QAT) cryptographic acceleration
- Implement defense-in-depth strategies for industrial control systems per CISA recommended practices
- Monitor vendor security advisories for additional affected product announcements
Evidence notes
The vulnerability was disclosed in the Linux kernel crypto/qat driver. Siemens ProductCERT published advisory SSA-613116 addressing affected SINEC OS products. CISA republished this advisory as ICSA-25-226-15 on 2025-08-12, with subsequent updates through 2026-02-25 to correct affected product listings and remove rejected CVEs. The fix involves replacing completion_done checks with cancel_work_sync to prevent memory leaks and UAF conditions during device reset synchronization.
Official resources
- CVE-2024-39493 CVE record (CVE.org)
- CVE-2024-39493 NVD detail (NVD)
- Source item URL: cisa_csaf
2025-08-12